Converting from Netscape Enterprise to Apache

This is a log of the steps I went through to convert from Netscape
Enterprise Server (doing SSL) to Apache with mod_ssl. Most of this is
pretty straightforward, but I include it here so that others can get
maximum benefit.

The method covered here is for the case where you have the
certificate from your Certificate Authority (CA) and wish to extract
the private key from your web server. If what you need is to extract
the certificate that you received from the CA, then these
instructions probably won't help you.

Software used:

Navigator 3.04 on RH Linux v 6.2

Communicator 4.72 on RH Linux v 6.2

From Netscape Enterprise Server 3.62 to Apache 1.3.12 on Solaris 2.6.

OpenSSL 0.9.5 on RH 6.2

Since writing this page, I've done a little more looking around. Here
is some information that may be useful.

Getting the keys from Netscape

These instructions are based on the ones found on Dr. Stephen N.
Henson's site. I've expanded on them slightly to make them less
of a general overview and more of a step-by-step recipe.

You will need a 3.x version of Netscape's Navigator (which I will
refer to here as "Navigator") as well as a 4.x version of Communicator
("Communicator"). I have copied the binary of Navigator 3.04 for Linux from the Mandrake
Linux RPM here because it was the only copy I found and I don't want
to lose it if I need it later.

Copy the server key database and the server certificate database from
your Netscape server to your local home directory. In my case, these
were /opt/suitespot/alias/secure-key.db and
/opt/suitespot/alias/secure-cert.db.

mv ~/.netscape ~/netscape-save

Start Navigator 3.x and immediately exit
the program. This creates a new ~/.netscape directory.

Select "Passwords", then click the "Change Password" button (or
"Set Password", if you removed the password in the 3.x session).
Use the dialog to change (or set) the password, then exit Netscape
to make sure it took.

If you have the PEM format cert (it should contain the line
-----BEGIN CERTIFICATE-----), then skip down to
the mime.types modification step.

If you have the cert in PKCS12 format (which I was able to get because Thawte keeps the old ones on
file), then start up Communicator, click on the lock icon to
bring up the "Security Info" dialog and select "Yours" and then
"Import a Certificate". After you've done that successfully,
you should see your key sitting in the select box. You can now
skip down to exporting a key.

Since you are on this step, I'm assuming that you don't have the
PEM format cert or the PKCS12 format cert. You'll need to get
the cert out of the .db file or
create a fake one. If you create a fake one, you'll need to
tell your CA that you lost your old one and need a new one.
To create a fake certificate, generate a certificate
signing request for the key from the web-based admin
interface in Netscape. My particular server
runs at port 8888, so I went to
http://example.com:8888/, chose "Keys & Certificates"
and then "Request Certificate". I went through the process and
then saved the CSR to a file named newreq.pem.
Make sure you are requesting a new signature and not a
renewal. The only difference between the two is the wrapper lines
that read "BEGIN ..." and "END ...".

Using the CA.pl
program that comes with OpenSSL (which was in
/var/ssl/misc on my machine), create a new CA. This
was simply /var/ssl/misc/CA.pl -newca and filling in
the requested info. Important: if you simply
hit return in response to the Distinguished Name questions, Communicator will
crash when you click on the lock icon while viewing the server's
secured pages.

$ /var/ssl/misc/CA.pl -newca
CA certificate filename (or enter to create)
Making CA certificate ...
Using configuration from /var/ssl/openssl.cnf
Generating a 1024 bit RSA private key
................................++++++
.................++++++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: US
State or Province Name (full name) [Some-State]: Louisiana
Locality Name (eg, city) []: New Orleans
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []: web
Common Name (eg, YOUR name) []: example.com
Email Address []: mah@everybody.org

Sign the request with CA.pl -sign, which reads newreq.pem from the
current directory and writes the signed certificate to newcert.pem.
Then start up Communicator again. Go to "File", "Open Page...", "Browse" and
select the newcert.pem file. You should be prompted for the
password you last entered to protect the key.db. After entering
it, Communicator will return to the page you were viewing
before.

Note that while this worked for me, it may not work for
you. If it does not work for you, remove the entry in your
~/.mime.types file. You need to get your browser to
recognise the file. You may be able to do this by temporarily
putting the .pem file in your webserver's htdocs directory and telling it to
serve up .pem files as application/x-x509-user-cert. The
following line would be needed in Apache's mime.types file:

application/x-x509-user-cert pem

Click on the lock icon to bring up the "Security Info" page again.

There is a heading "Certificates" and under that "Yours". Click
on the "Yours". In the select box, you should see the server's key.

Highlight the key and select "Export". Follow the prompts and
once you are done, you will have the key in PKCS12 format.
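Two artefacts in the procedure above deserve a check before you trust them: the fake certificate produced by CA.pl -newca followed by signing newreq.pem into newcert.pem, and the PKCS12 bundle that the Communicator export leaves you with. The script below is an added example and is not from the original page: it builds a throwaway CA with every DN field filled in, signs a CSR into newcert.pem the way CA.pl -sign does, checks that the certificate's RSA modulus is the same as the request's (so it will pair with the key still locked inside key.db), and then unpacks a PKCS12 bundle to confirm the private key inside pairs with the certificate inside, which is what mod_ssl needs. The stand-in server key, CSR and PKCS12 bundle are constructed by the script itself; all file names, DN values and the export password are assumptions. It needs only the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not from the original page. Requires the openssl CLI.
# File names, DN values and the PKCS12 password are assumptions;
# newreq.pem / newcert.pem follow the names used on the page.
set -u

# make_ca DIR: self-signed CA key and certificate under DIR, the
# equivalent of "CA.pl -newca". Every DN field is filled in: the page
# reports that a CA made by hitting return at each prompt makes
# Communicator crash when the lock icon is clicked.
make_ca() {
    dir=$1
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" \
        -subj "/C=US/ST=Louisiana/L=New Orleans/O=Example Org/OU=web/CN=Fake CA for example.com" \
        >/dev/null 2>&1
}

# sign_csr DIR CSR OUT: sign CSR with the CA in DIR and write OUT;
# this is what "CA.pl -sign" does with newreq.pem -> newcert.pem.
sign_csr() {
    dir=$1; csr=$2; out=$3
    openssl x509 -req -in "$csr" -days 365 \
        -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" -CAcreateserial \
        -out "$out" >/dev/null 2>&1
}

# cert_matches_csr CERT CSR: succeed only if the certificate carries the
# same RSA modulus as the request, i.e. it will pair with the server key
# that is still inside key.db, whichever CA signed it.
cert_matches_csr() {
    cert_mod=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 1
    csr_mod=$(openssl req -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$csr_mod" ]
}

# pkcs12_key_matches_cert P12 PASS: unpack the bundle (what Communicator's
# "Export" writes) and check that the key and certificate inside pair up.
# -nodes emits the key unencrypted; it only ever goes through the pipe.
pkcs12_key_matches_cert() {
    key_mod=$(openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$2" 2>/dev/null \
        | openssl rsa -noout -modulus 2>/dev/null) || return 1
    cert_mod=$(openssl pkcs12 -in "$1" -nokeys -clcerts -passin "pass:$2" 2>/dev/null \
        | openssl x509 -noout -modulus 2>/dev/null) || return 1
    [ -n "$key_mod" ] && [ "$key_mod" = "$cert_mod" ]
}

# make_stub_csr KEY CSR CN: constructed stand-in for the key in
# secure-key.db and the CSR the Netscape admin interface writes.
make_stub_csr() {
    openssl genrsa -out "$1" 2048 >/dev/null 2>&1 &&
    openssl req -new -key "$1" -out "$2" -subj "/CN=$3" >/dev/null 2>&1
}

# run_demo WORKDIR: the whole flow. Prints "ok" when the fake certificate
# matches the request, a certificate for a different key is rejected, the
# PKCS12 built from the matching pair checks out, and a cert-only bundle
# (an export that carried no private key) is rejected.
run_demo() {
    w=$1
    mkdir -p "$w"
    make_ca "$w/demoCA" || return 1
    make_stub_csr "$w/server.key" "$w/newreq.pem" example.com || return 1
    sign_csr "$w/demoCA" "$w/newreq.pem" "$w/newcert.pem" || return 1
    cert_matches_csr "$w/newcert.pem" "$w/newreq.pem" || return 1
    # Negative control: a certificate issued for another key must not match.
    make_stub_csr "$w/other.key" "$w/other.csr" other.example.com || return 1
    sign_csr "$w/demoCA" "$w/other.csr" "$w/othercert.pem" || return 1
    if cert_matches_csr "$w/othercert.pem" "$w/newreq.pem"; then return 1; fi
    # Stand-in for the Communicator export: bundle key + cert as PKCS12.
    openssl pkcs12 -export -in "$w/newcert.pem" -inkey "$w/server.key" \
        -name example.com -out "$w/export.p12" -passout pass:exportpw >/dev/null 2>&1 || return 1
    pkcs12_key_matches_cert "$w/export.p12" exportpw || return 1
    # A bundle with the certificate but no private key is useless to mod_ssl.
    openssl pkcs12 -export -nokeys -in "$w/newcert.pem" \
        -out "$w/bad.p12" -passout pass:exportpw >/dev/null 2>&1 || return 1
    if pkcs12_key_matches_cert "$w/bad.p12" exportpw; then return 1; fi
    echo ok
}

if [ "${1:-}" = "--demo" ]; then
    run_demo "${2:-$(mktemp -d)}"
fi
```

Run it as sh check.sh --demo /tmp/work to see the whole flow; in practice you feed your own newreq.pem to sign_csr and the bundle Communicator exported to pkcs12_key_matches_cert. The modulus comparison is the check that matters: a certificate whose modulus differs from the key you pull out of key.db will not pair with it in mod_ssl no matter which CA signed it, and an export that contains the certificate but no private key is the most common way that happens.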